Re: syscall arguments in audit records

From: David Woodhouse <dwmw2 infradead org>

To: Linux Audit Discussion <linux-audit redhat com>

Subject: Re: syscall arguments in audit records

Date: Fri, 25 Mar 2005 22:12:15 +0000

Please don't top-post, and please don't use HTML.

On Fri, 2005-03-25 at 15:53 -0600, Debora Velarde wrote:
> Some of the system call arguments have useful information; they're not
> just pointing to a memory address.

This is true, but some are pointers to memory. We need to be careful
here -- whenever we dereference such a pointer, we need to make sure
that the contents of the memory it points to are not changed between the
time we read them, and the time the system call itself calls
copy_from_user() to read them again. Basically, we need to use callbacks
like the filesystem name hooks or the ones in the IPC code. We can't
just log the memory contents on syscall entry or exit.

If more such hooks are required, we need to identify and implement them.
If more such hooks are required, we need to identify and implement them.
--
dwmw2
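A user-space model of the race described in the message above, added here as an example; it is not code from this thread or from the kernel. It stands in for the kernel pieces with plain C: a struct for user memory, strncpy() for copy_from_user(), and a callback (a hypothetical "racer" thread) invoked at a fixed point so the outcome is deterministic instead of depending on scheduling. Every name in it is invented. It contrasts an audit layer that dereferences the user pointer on syscall entry with one that is called from a hook inside the syscall's own name lookup, the kind of filesystem-name hook the message refers to, and checks whether the logged path matches the path the syscall actually used.

```c
/* Added example: a user-space model of the audit TOCTOU race, not code
 * from the linux-audit thread or the kernel.  All names are invented. */
#include <stdio.h>
#include <string.h>

#define SIM_PATH_MAX 64

/* A buffer in the simulated user address space.  Any other thread of
 * the same process may overwrite it at any moment. */
typedef struct {
    char path[SIM_PATH_MAX];
} user_mem_t;

/* The audit record that reaches the log. */
typedef struct {
    char logged_path[SIM_PATH_MAX];
} audit_rec_t;

/* A thread racing against the syscall.  Here it is a callback run at a
 * chosen point; in a real kernel it runs wherever the scheduler puts it. */
typedef void (*racer_fn)(user_mem_t *um);

/* Stand-in for copy_from_user(): one read of user memory into a kernel buffer. */
static void sim_copy_from_user(char *kdst, const user_mem_t *um)
{
    strncpy(kdst, um->path, SIM_PATH_MAX - 1);
    kdst[SIM_PATH_MAX - 1] = '\0';
}

/* Naive scheme: audit dereferences the user pointer on syscall entry,
 * then the syscall does its own copy_from_user().  Two reads of user
 * memory, so a racing thread can make them disagree. */
static void sys_open_naive(user_mem_t *um, audit_rec_t *rec,
                           racer_fn racer, char *kpath)
{
    sim_copy_from_user(rec->logged_path, um);   /* audit's read at entry */
    if (racer)
        racer(um);                              /* the window */
    sim_copy_from_user(kpath, um);              /* the syscall's own read */
}

/* Hooked scheme: the syscall copies the name once and calls the audit
 * hook with the kernel copy, so audit never reads user memory itself. */
static void audit_name_hook(audit_rec_t *rec, const char *kpath)
{
    strncpy(rec->logged_path, kpath, SIM_PATH_MAX - 1);
    rec->logged_path[SIM_PATH_MAX - 1] = '\0';
}

static void sys_open_hooked(user_mem_t *um, audit_rec_t *rec,
                            racer_fn racer, char *kpath)
{
    if (racer)
        racer(um);                  /* racer before the copy: both sides see the new value */
    sim_copy_from_user(kpath, um);  /* the single read */
    audit_name_hook(rec, kpath);    /* log exactly what the syscall will use */
    if (racer)
        racer(um);                  /* racer after the copy: no longer matters */
}

/* 1 if the audit record names the path the syscall actually acted on. */
static int audit_consistent(const audit_rec_t *rec, const char *kpath)
{
    return strcmp(rec->logged_path, kpath) == 0;
}

/* Constructed racer: swaps a harmless path for a sensitive one. */
static void swap_to_shadow(user_mem_t *um)
{
    strncpy(um->path, "/etc/shadow", SIM_PATH_MAX - 1);
    um->path[SIM_PATH_MAX - 1] = '\0';
}

/* Drivers: run one scheme, optionally with the racer, and report whether
 * the log matched.  Constructed input: the user buffer starts as /tmp/harmless. */
int run_naive(int with_racer)
{
    user_mem_t um; audit_rec_t rec; char kpath[SIM_PATH_MAX];
    strcpy(um.path, "/tmp/harmless");
    sys_open_naive(&um, &rec, with_racer ? swap_to_shadow : NULL, kpath);
    return audit_consistent(&rec, kpath);
}

int run_hooked(int with_racer)
{
    user_mem_t um; audit_rec_t rec; char kpath[SIM_PATH_MAX];
    strcpy(um.path, "/tmp/harmless");
    sys_open_hooked(&um, &rec, with_racer ? swap_to_shadow : NULL, kpath);
    return audit_consistent(&rec, kpath);
}

int main(void)
{
    printf("naive,  no racer: %s\n", run_naive(0)  ? "log matches" : "LOG WRONG");
    printf("naive,  racer:    %s\n", run_naive(1)  ? "log matches" : "LOG WRONG");
    printf("hooked, racer:    %s\n", run_hooked(1) ? "log matches" : "LOG WRONG");
    return 0;
}
```

The naive scheme logs /tmp/harmless while the syscall opens /etc/shadow; the hooked scheme cannot be split that way because there is only one read of user memory and the audit record is derived from it. The model fixes the racer's position for determinism; in a real kernel the other thread shares the address space and the window is wherever the scheduler happens to preempt the syscall, which is exactly why the message argues for hooks at the point of the kernel's own copy rather than snapshots at entry or exit.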